According to the 2016 Verizon Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. And since today is World Password Day, I thought it would be fitting to write about the security risks around traditional passwords as well as some of the reasons we haven't completely eliminated them yet.

Let's start off with the challenges around traditional passwords. The biggest challenge with traditional passwords is that we all have too many to remember. There has been a lot of research into the number of passwords the average person has, and depending on which study you believe it ranges from 20 to 40 passwords across professional and personal accounts. I know I have five professional passwords that I use on a daily basis, with an additional five that I use on a regular basis. In addition, I have at least five personal passwords that I use on a regular basis and countless others that I use on a semi-regular basis. Exacerbating the situation are the myriad password requirements (length, special characters, capitals) each account imposes and the frequency with which they need to be changed. With all these ever-changing passwords and requirements, it's no wonder we fall into poor password practices like writing them down, reusing the same password across multiple accounts, and choosing easily guessed things like our kids' birthdays so we can remember them all (note: I do NOT use my kids' birthdays as passwords). Each of those habits turns a single leaked or guessed password into access to many accounts.

So what's the solution? I think two-factor authentication built on one-time passwords is a great solution: the code is generated by something you have (a hardware or software token) and is combined with something you know, it changes with each use, a code that has already been used or has expired is worthless to anyone who copies it, and there is nothing new to memorize. Two-factor authentication is not a new concept. In fact, the technology has been around for over 30 years! So why haven't more organizations adopted it? Well, historically, implementing two-factor authentication was expensive, difficult to deploy and got a lot of pushback from the user community. However, times have changed and two-factor authentication solutions have changed as well. With options like self-registration, software tokens for your phone, and even out-of-band authentication, it's not your 1990s two-factor authentication.
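To make concrete why a one-time password "changes with each use" and cannot be replayed, here is an added example (my own code, not part of the original post or any vendor's product) implementing the HOTP algorithm from RFC 4226 and the time-based TOTP variant from RFC 6238, which is what most phone-based software tokens generate. The server-side validator accepts a code only within a small look-ahead window and then advances its counter, so presenting the same code a second time fails. The shared secret used below is the RFC 4226 test key, and the `window` size of 5 is an arbitrary assumption for illustration.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 test vectors (Appendix D). In a real
# deployment this is generated randomly per user at enrollment.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    # Take 4 bytes at the offset and clear the top bit (avoids sign issues).
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    # zfill keeps leading zeros, e.g. "07081804".
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30,
         digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second
    intervals since t0 (Unix epoch by default)."""
    return hotp(secret, int((for_time - t0) // step), digits)


def current_totp(secret: bytes) -> str:
    """Convenience wrapper: the code a token would display right now."""
    return totp(secret, time.time())


class HotpValidator:
    """Server side of event-based OTP. Tracks the next expected counter,
    tolerates a few button presses the server never saw (look-ahead
    window), and never accepts a counter at or below one already used,
    which is what makes a captured or written-down code useless."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we expect
        self.window = window      # assumed look-ahead size (illustrative)

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            # Constant-time comparison avoids leaking digits via timing.
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronize and burn this code
                return True
        return False


if __name__ == "__main__":
    v = HotpValidator(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    print("code for counter 0:", first)
    print("first use accepted:", v.verify(first))
    print("replay accepted:   ", v.verify(first))
    print("current TOTP:      ", current_totp(RFC4226_SECRET))
```

Running it shows the first presentation of a code succeeding and the immediate replay failing. The TOTP variant behaves the same way in practice: servers remember the last accepted time step for a user so the same 30-second code cannot be accepted twice.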